From ed74e18fffa120233e203a617bbb4a3ca4da0183 Mon Sep 17 00:00:00 2001
From: Marcela Melara
Date: Tue, 31 Oct 2023 09:36:42 -0700
Subject: [PATCH] Add e2e test workflow

Signed-off-by: Marcela Melara
---
 .github/actions/scai-gen-assert/action.yml | 20 +++---
 .github/actions/scai-gen-report/action.yml |  5 +-
 .github/workflows/test-e2e-flow.yml        | 78 ++++++++++++++++++++++
 scai-gen/cmd/sigstore.go                   |  4 +-
 4 files changed, 95 insertions(+), 12 deletions(-)
 create mode 100644 .github/workflows/test-e2e-flow.yml

diff --git a/.github/actions/scai-gen-assert/action.yml b/.github/actions/scai-gen-assert/action.yml
index 0a08a7f..2dbfd77 100644
--- a/.github/actions/scai-gen-assert/action.yml
+++ b/.github/actions/scai-gen-assert/action.yml
@@ -4,21 +4,24 @@ inputs:
   attribute:
     description: "The attribute being asserted"
     required: true
-    type: string
   evidence-file:
-    description: "The file containing the evidence. This action assumes the evidence was an artifact uploaded during a previous step."
+    description: "The file containing the evidence. This action assumes the evidence was an artifact uploaded during a previous step, unless otherwise specified."
     required: true
-    type: string
   evidence-type:
     description: "The media type of the evidence"
     required: optional
     default: "application/json"
-    type: string
+  download-evidence:
+    description: "Flag to download the evidence artifact"
+    required: false
+    default: 'true'
   assertion-name:
     description: "The artifact name of the unsigned SCAI AttributeAssertion. The file must have the .json extension. Defaults to -assert.json when not specified."
     required: false
     default: "scai-assertion.json"
-    type: string
+  path:
+    description: "The path to save the generated assertion"
+    default: "$GITHUB_WORKSPACE/temp"
 outputs:
   assertion-name:
     description: "Filename of the generated AttributeAssertion"
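Review bot: The new `path` input's default `"$GITHUB_WORKSPACE/temp"` is a literal shell-variable string; it only becomes a real directory because the action later interpolates `inputs.path` into a bash `run:` step, and any consumer that reads the input outside a shell (an `env:` mapping, another action's `with:`) would receive the unexpanded text. Prefer `default: ${{ github.workspace }}/temp`, which the runner resolves, and add `required: false` so `path` is declared like `download-evidence` and `assertion-name`. The `download-evidence` description should also state what the action expects when the flag is `'false'` — the e2e workflow in this patch passes a repository-relative path as `evidence-file` in that mode — for example `description: "Set to 'true' to download evidence-file as a workflow artifact, or 'false' when evidence-file is already a path in the workspace"`.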
@@ -29,6 +32,7 @@ runs:
   steps:
     - name: Get the evidence artifact
       id: get-evidence
+      if: ${{ inputs.download-evidence == 'true' }}
       uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: "${{ inputs.evidence-file }}"
@@ -39,12 +43,12 @@ runs:
       with:
         name: "${{ inputs.evidence-file }}"
         media-type: "${{ inputs.evidence-type }}"
-        path: "${{ steps.get-evidence.outputs.download-path }}"
         rd-name: "${{ inputs.evidence-file }}-desc.json"
 
     - name: Run scai-gen assert
       id: scai-gen-assert
       shell: bash
       run: |
-        scai-gen assert -e ${{ steps.gen-rd.outputs.file-rd-name }} -o ${{ steps.get-evidence.outputs.download-path }}/${{ inputs.assertion-name }} ${{ inputs.attribute}}
-        echo "assertion-name=${{ steps.get-evidence.outputs.download-path }}/${{ inputs.assertion-name }}" >> "$GITHUB_OUTPUT"
+        mkdir -p ${{ inputs.path }}
+        scai-gen assert -e ${{ steps.gen-rd.outputs.file-rd-name }} -o ${{ inputs.path }}/${{ inputs.assertion-name }} ${{ inputs.attribute}}
+        echo "assertion-name=${{ inputs.path }}/${{ inputs.assertion-name }}" >> "$GITHUB_OUTPUT"
diff --git a/.github/actions/scai-gen-report/action.yml b/.github/actions/scai-gen-report/action.yml
index 7ea5276..930d5d7 100644
--- a/.github/actions/scai-gen-report/action.yml
+++ b/.github/actions/scai-gen-report/action.yml
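Review bot: The three new `run:` lines interpolate `${{ inputs.path }}` directly into the bash script, unquoted, so a caller-supplied value containing spaces or shell metacharacters is parsed by the shell instead of being treated as a path — the same pattern the pre-existing `assertion-name` and `attribute` expansions already follow, and the usual GitHub Actions guidance is to bind such inputs to `env:` variables on the step and reference them as quoted shell variables. Doing so also keeps the script readable and makes the `mkdir -p` target explicit. Note that with the `"$GITHUB_WORKSPACE/temp"` default declared in the `inputs:` block this only works if the default becomes `${{ github.workspace }}/temp`, since a value placed in `env:` is not re-expanded by the shell.
```yaml
# … unchanged: gen-rd step and its with: block …
    - name: Run scai-gen assert
      id: scai-gen-assert
      shell: bash
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_ASSERTION_NAME: ${{ inputs.assertion-name }}
        INPUT_ATTRIBUTE: ${{ inputs.attribute }}
        RD_FILE: ${{ steps.gen-rd.outputs.file-rd-name }}
      run: |
        mkdir -p "$INPUT_PATH"
        scai-gen assert -e "$RD_FILE" -o "$INPUT_PATH/$INPUT_ASSERTION_NAME" "$INPUT_ATTRIBUTE"
        echo "assertion-name=$INPUT_PATH/$INPUT_ASSERTION_NAME" >> "$GITHUB_OUTPUT"
```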
@@ -32,14 +32,13 @@ runs:
       run: |
         mkdir -p ${{ inputs.report-path }}
         scai-gen report -s ${{ inputs.subject }} -o ${{ inputs.report-path }}/${{ inputs.report-name }} ${{ inputs.attr-assertions }}
-        scai-gen sigstore -o ${{ inputs.report-path }}/signed.${{ inputs.report-name }} ${{ inputs.report-path }}/${{ inputs.report-name }}
-        echo "report-name=${{ inputs.report-path }}/signed.${{ inputs.report-name }}" >> "$GITHUB_OUTPUT"
+        echo "report-name=${{ inputs.report-path }}/${{ inputs.report-name }}" >> "$GITHUB_OUTPUT"
         ls ${{ inputs.report-path }}
 
     - name: Upload the signed SCAI AttributeReport
       id: upload-assert
       uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
-        name: signed.${{ inputs.report-name }}
+        name: ${{ inputs.report-name }}
         path: ${{ steps.scai-gen-report.outputs.report-name }}
         retention-days: 15
diff --git a/.github/workflows/test-e2e-flow.yml b/.github/workflows/test-e2e-flow.yml
new file mode 100644
index 0000000..f6c3cfc
--- /dev/null
+++ b/.github/workflows/test-e2e-flow.yml
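Review bot: After this hunk the action no longer signs anything, yet the upload step is still titled `- name: Upload the signed SCAI AttributeReport` and its `id: upload-assert` names an assertion rather than a report; rename it to `- name: Upload the SCAI AttributeReport` (and, if nothing references the id, `id: upload-report`) so job logs do not claim a signature that the new e2e workflow now produces in a separate step. The `report-name` output documentation, which sits outside this hunk, should likewise say the emitted file is unsigned and that signing is the caller's responsibility.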
@@ -0,0 +1,78 @@
+name: Test composite actions on SBOM+SLSA example
+on:
+  push:
+    branch:
+      - main
+    paths:
+      - "scai-gen/**"
+  # Want to trigger these tests whenever the Go CLI or
+  # APIs are modified
+  pull_request:
+    paths:
+      - "scai-gen/**"
+
+jobs:
+  sbom-slsa-ex:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write # Needed to sign
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
+        with:
+          go-version: 1.20.x
+
+      - name: Checkout updated scai-gen CLI tools
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Setup Env
+        run: |
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+      - name: Install scai-gen CLI tools
+        shell: bash
+        run: |
+          go install ./scai-gen
+          mkdir -p temp
+
+      - name: Generate SBOM SCAI AttributeAssertion
+        id: gen-sbom-assert
+        uses: marcelamelara/scai-demos/.github/actions/scai-gen-assert@add-scai-reusable-workflows
+        with:
+          attribute: "HasSBOM"
+          evidence-file: "examples/sbom+slsa/metadata/pdo_client_wawaka.spdx.json"
+          evidence-type: "application/json"
+          download-evidence: false
+          assertion-name: "hassbom-assertion.json"
+
+      - name: Generate SLSA Provenance SCAI AttributeAssertion
+        id: gen-slsa-assert
+        uses: marcelamelara/scai-demos/.github/actions/scai-gen-assert@add-scai-reusable-workflows
+        with:
+          attribute: "HasSLSA"
+          evidence-file: "examples/sbom+slsa/metadata/pdo_client_wawaka.provenance.json"
+          evidence-type: "application/vnd.in-toto.provenance+dsse"
+          download-evidence: false
+          assertion-name: "hasslsa-assertion.json"
+
+      - name: Generate SCAI AttributeReport
+        id: gen-sbom-slsa-report
+        uses: marcelamelara/scai-demos/.github/actions/scai-gen-report@add-scai-reusable-workflows
+        with:
+          subject: "examples/sbom+slsa/metadata/container-img-desc.json"
+          attr-assertions: "${{ steps.gen-sbom-assert.outputs.assertion-name }} ${{ steps.gen-slsa-assert.outputs.assertion-name }}"
+          report-name: "evidence-collection.scai.json"
+
+      - name: Sign and upload generated SCAI report (Sigstore)
+        id: sign-report
+        shell: bash
+        run: |
+          scai-gen sigstore -o ${{ steps.gen-sbom-slsa-report.outputs.report-name }}.sig ${{ steps.gen-sbom-slsa-report.outputs.report-name }}
+
+      - name: Upload the signed SCAI AttributeReport
+        id: upload-signed-report
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: ${{ steps.gen-sbom-slsa-report.inputs.report-name }}.sig
+          path: ${{ steps.gen-sbom-slsa-report.outputs.report-name }}.sig
+          retention-days: 15
diff --git a/scai-gen/cmd/sigstore.go b/scai-gen/cmd/sigstore.go
index 4890783..b7f954d 100644
--- a/scai-gen/cmd/sigstore.go
+++ b/scai-gen/cmd/sigstore.go
@@ -70,7 +70,9 @@ func getNewFulcioSigner(ctx context.Context) (*fulcio.Signer, error) {
 	return fulcio.NewSigner(ctx, ko, sv)
 }
 
-func signWithSigstore(_ *cobra.Command, args []string) error {
+func signWithSigstore(_ *cobra.Command, args []string) error {
+	fmt.Println("EXPERIMENTAL FEATURE. DO NOT USE IN PRODUCTION.")
+
 	statementFile := args[0]
 	statement := &ita.Statement{}
 	err := fileio.ReadPbFromFile(statementFile, statement)
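Review bot: The workflow is meant to exercise the composite actions modified in this same patch, but each `uses:` points at `marcelamelara/scai-demos/.github/actions/...@add-scai-reusable-workflows`, a mutable branch ref, so a pull request runs whatever that branch holds at the time rather than the checked-out actions, and the ref cannot be pinned the way the third-party actions here are; after `actions/checkout` the local form `uses: ./.github/actions/scai-gen-assert` tests the PR's own copy. Two keys also look wrong as written: `branch:` under `push:` is not a recognised filter (the key is `branches:`), and `${{ steps.gen-sbom-slsa-report.inputs.report-name }}` in the upload step reads a context that does not exist — steps expose `outputs`, not `inputs` — so the artifact would be named `.sig`. Because `permissions:` is set explicitly, every unlisted scope drops to none, and `contents: read` is normally required for `actions/checkout`, so I would add it beside `id-token: write`. Keyless signing through `id-token` is not granted to `pull_request` runs from forks, so the sign step should be expected to fail in that case unless it is guarded.
```yaml
on:
  push:
    branches:
      - main
# … unchanged: paths filters, pull_request trigger, job header …
    permissions:
      id-token: write # Needed to sign
      contents: read # Needed by actions/checkout once permissions are listed explicitly
# … unchanged: setup-go, checkout, env and install steps …
        id: gen-sbom-assert
        uses: ./.github/actions/scai-gen-assert
# … unchanged: with: inputs …
        id: gen-slsa-assert
        uses: ./.github/actions/scai-gen-assert
# … unchanged: with: inputs …
        id: gen-sbom-slsa-report
        uses: ./.github/actions/scai-gen-report
# … unchanged: with: inputs, sign step …
        id: upload-signed-report
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: ${{ steps.gen-sbom-slsa-report.outputs.report-name }}.sig
# … unchanged: path, retention-days …
```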
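Review bot: The new warning is emitted with `fmt.Println`, i.e. on stdout, where it mixes with any machine-readable output of `scai-gen sigstore` and is captured by a caller that pipes or redirects the command; a diagnostic belongs on stderr, `fmt.Fprintln(os.Stderr, "EXPERIMENTAL FEATURE. DO NOT USE IN PRODUCTION.")` (adding the `os` import if the file lacks it). `args[0]` on the following context line is indexed without a length check; if the cobra command is not declared with `Args: cobra.ExactArgs(1)` this panics on a missing positional, and the command definition is not visible from this hunk. The body of signWithSigstore continues past the end of the hunk.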